
The scourge of fake accounts: Why so many, what to do?

Paul Ducklin
12/04/2024

Every account matters

In a recent article with the headline “Gone in 24 hours,” we wrote about how and why a single day is more than enough time for cybercriminals to set up and pull off an attack, even if it involves buying a fake online domain, setting up a bogus website at that domain, and spamming out thousands or even millions of users to lure them in.

In a typical phishing attack, the goal is to trick you into thinking you are logging into a legitimate site so that you enter your username, password, and perhaps your multi-factor authentication (MFA) code into a look-alike page.

For this purpose, the criminals generally set up their own server, so they don’t need accounts on anyone else’s service in order to interact with you to steal your data.

Their ultimate goal is to get into and take over an existing account of yours, perhaps so they can sell on access to your computer or your company’s network to other criminals, for example to install data stealing malware or to pull off a ransomware attack.


As you can imagine, passwords for stolen social media accounts aren’t as valuable to cybercriminals as access codes for remote access to corporate networks, or to banking apps and cryptocurrency wallets.

But almost all purloined accounts have resale value in the cyber-underworld of so-called Initial Access Brokers, or IABs.

Notably, access to your social media or instant messaging accounts can give scammers a direct line into your own closed groups of friends and family, for example to promote investment scams, conduct cryptocurrency fraud, or trick them into installing rogue software.

A direct message that actually comes from your account, even if you didn’t send it yourself, is much more likely to be believed and acted upon by someone who knows and trusts you than a spam email message from someone they’ve never heard of before.

And some cybercriminals go after established social media accounts simply because they have sufficient account history to evade informal detection as obvious sockpuppets, catphish, stalkers, or other purveyors of fake news and scams.

Established accounts not only have a creation date more than a few days old, but generally also have a genuine-looking profile picture, a realistic posting history, a reasonable number of followers, and so on.

Sockpuppet, if you aren’t familiar with the term, is a metaphor (think of how the Muppets work) for an account that is deliberately operated under a fake name, typically to make a scammer’s posts look more believable and more interesting (or controversial, or important) than they really are. Fake reviews of low-quality or outright fraudulent products are an obvious example. And a catphish is a very particular form of bogus account – one that passes itself off as belonging to a likable and trustworthy individual, for example by lying about gender, age, appearance, education, location and more. Typically, catphish accounts are used to lure victims into one-to-one online relationships that end in financial fraud, online abuse, physical stalking, or worse.


Strength in numbers

But some cyber-scammers and criminals are more interested in brand new accounts in huge numbers, notably on social networks, that they can operate and control directly, right from the outset.

Many of these accounts may never reach a sufficient level of longevity and believability to make credible sockpuppets or catphish, but:

  • Some will likely survive long enough to become useful or even saleable accounts themselves. Starting with 1,000,000 brand new bogus accounts today, a criminal with a whopping 99.9% failure rate over the next month will nevertheless end up with 1000 established accounts that weren’t taken over from someone else, and therefore aren’t at risk of being contested and reclaimed by an original owner.
  • Even short-lived or unbelievable accounts can influence online behavior. When you see an interesting post that’s been liked by 10 people, you might be inclined to view the list of ‘likers’ as something of interest in its own right. But a post that’s liked 1000 times is unlikely to attract like-by-like scrutiny in this way, even though the sheer volume of likes may influence other users and the site’s recommendation algorithms very strongly.

This, of course, raises the question, “But what’s the chance of any cybercriminal gang accumulating a million fake accounts this month just to land up with 1000 accounts left at the end?”

Answering that question is surprisingly tricky, not least because different people, and different services, define fake accounts and bogus users in different ways.

Some services are happy with pseudonyms, or even with deliberately fake names created for humor or parody, as long as you provide a working email address; some may consider you “identified” as long as you supply an active mobile phone number; others may insist on real names and a stronger verification of identity and location up front.

But the scale of fake account creation is certainly implied, if not proved, by this data from statistics-gathering outfit Statista.

We already published the company’s LinkedIn fake account data in the “Gone in 24 Hours” article we mentioned above:

[Graph: Statista data on fake accounts removed by LinkedIn, with a legend distinguishing accounts stopped at registration from those removed “proactively” after activation]

Perhaps the most intriguing thing about this graph is the legend, describing the black squares in an upbeat way as accounts that were removed “proactively,” even though they were created and used by their creators for an unspecified time, and then removed reactively, albeit before any human complained.

And, as we mentioned before:

Figures for LinkedIn’s true growth, in other words the increase in non-fraudulent user accounts whether active or not, suggest that about 60 million to 70 million new accounts are created every year.

There would therefore seem to be at least twice that many attempts to create fake accounts, of which close to 40 million succeed at least for a time. (And that, of course, is just the fake accounts that are spotted and removed.)

For Facebook, the number of fake accounts recorded in Statista’s data was significantly higher than on LinkedIn, and these numbers explicitly include personal accounts used for business or “non-human” purposes:

[Graph: Statista data on fake accounts removed by Facebook]

Again, these figures don’t tell us how many fake accounts went unreported or undetected, or how long those known-fake accounts lasted before being taken down.

Lastly, here is Statista data for TikTok, but this time we have chosen numbers that illuminate a different angle on the problem, showing the number of fake endorsements that were taken down, regardless of whether the accounts behind those endorsements were removed or allowed to continue operating:

[Graph: Statista data on fake likes and follows removed by TikTok in 2023]

Those 2023 fake interaction figures, representing online endorsements that happened but were later deemed dishonest and removed, add up to nearly 5 billion.

There are approximately 10π million seconds per year (that’s a handy shortcut to remember, accurate to within 0.5%), so the rate of TikTok “endorsement chicanery” works out at more than 150 bogus likes and follows every second, once again excluding the ones that weren’t noticed, that no one reported, or that were reported but ultimately not removed.

What does this mean?

Clearly, automated tools alone are woefully inadequate in preventing fraudulent social media behavior, though they can clearly help in mopping up the damage after the fact.

According to the LinkedIn figures above, 88.8 million fake accounts were stopped during registration in 2023, but 32.2 million were only detected after activation, meaning that Microsoft’s automated tools let through more than one in every four unwanted account registrations.

The value of fake accounts, both as original promoters of fraudulent schemes, and as sockpuppets used to provide an aura of legitimacy for those frauds, is clear from the sort of online scams that you may already have encountered yourself (whether you were sucked into them or not), or have read about in scam warnings.

Examples include:

  • Fake vacation destinations. With many legitimate holiday lets, notably including big hotel chains, offering discounted rates for paying at the time of booking with no cancellation allowed, it’s easy to see how people fall for holiday stay scams that promote payment well in advance for destinations that don’t even exist. Because the booking appears to have worked, many victims don’t realize they’ve been fleeced until they arrive at their non-existent ‘hotel’ and are stuck with the expense of finding somewhere to stay at the last minute.
  • Fake event tickets. In most cases, the events are real, though legitimate tickets may have sold out quickly, with some disappointed fans willing to risk buying off-market or “scalped” tickets instead. Genuine-looking tickets may actually arrive, which reduces the chance of victims spotting they’ve been cheated, and thus of warning others. Only at the entrance barrier will the tickets be detected and rejected as the worthless forgeries they are.
  • Real products that never show up. Genuine products with a good reputation will typically be offered in a ‘limited-time offer’ for a good price, or attractive products that aren’t available locally will be offered via the ‘grey market’ (which is generally not illegal, but simply means that the product will be bought in and shipped from another country). Even if you get your money back from your payment card company, the criminals may well have cashed out already, so the economy as a whole pays the price.
  • Fake products that never show up. This is an obvious variant on the previous item: you pay for a product that has upbeat marketing material, apparently offered by a genuine company with numerous ringing endorsements from a battery of sockpuppet accounts, only to find that the ‘remarkable new’ product that was a ‘game changer’ existed as social network posts only.
  • Investment and cryptocoin scams. If you treat this sort of service as a ‘fake product’, this sort of scam sounds much the same as the previous one, because you are paying for something that isn’t real. But an important and often compelling difference is that victims are often drawn in by their own friends and family, who were themselves seduced by regular, persuasive contact from the criminals, combined with a fake app, a fake website, and fake financial data that made it look as though they really did have an ‘investment’, and that it was growing steadily and reliably.
  • Romance scams. Here, low-tech scammers need only one or two fake online accounts per victim, for example one with a dating site and another with an online messaging service. These are catphish accounts – typically fake romantic partners with profile data liberally stolen from other people’s accounts – but they don’t need a sea of other accounts to back them up with sockpuppetry. They develop a highly personal one-to-one relationship with their victims that tragically often includes separating them from their family and their true friends as well as from their money.

What to do?

With thousands, millions, even billions of fake accounts vying to defraud you on social networks, automated tools and technological solutions simply aren’t enough, though they can help significantly.

So, here are a few simple tips:

  • Keep your endpoint security and anti-phishing tools active and up-to-date. Even if LinkedIn lets through one in every four fake accounts, and your anti-phishing filter lets through one in every four fake websites promoted by those accounts, that sort of automation nevertheless reduces your risk, loosely speaking, to 1/4 of 1/4 of what it would have been otherwise, which cuts out 15/16ths of the problem before it can affect you at all.
  • Don’t pay attention to 5-star reviews and positive endorsements for a little-known product. They could have been left by anyone, and probably were. Even legitimate third-party review sites or app stores can be flooded with upbeat comments from sockpuppets, so always be sure to form your own judgment, based on as much objective information as you can gather. If you aren’t sure, ask a long-term friend whom you know, and like, and trust.
  • If it sounds too good to be true, assume that it is. If you’re inclined to think that a site, or person, or product, or service might not be everything that it claims to be, back yourself and bail out, because you are probably right. And if you notice that even one fact or claim is clearly untruthful, consider that as immediate proof that your suspicions are correct.
  • Consider reporting fake accounts or bogus interactions. Most large-scale online community sites have tools for reporting obvious scams and frauds. These reporting tools don’t always convince the platform to agree with your opinion, but the more people who submit reports, the more likely a bogus account will be shuttered. Learn how to use the reporting tools of the sites you use the most, and don’t always be the person who leaves it to someone else.
  • Pick a human-centered cybersecurity partner to help you guard your business. As the graphs above remind us all, reducing the problem automatically to 1/16th, or 1/64th, or even 1/1024th of its initial size still leaves you and your company with a lot to defend against. Be sure to pick a security provider who puts the M, and the S, and the S, and the P into MSSP!


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!



More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image of masked person by Anna Deli via Unsplash.
